Restoring Nominal Certificate Database

David E. Ross

Jan 31, 2011, 5:50:27 PM
to mozilla-dev-s...@lists.mozilla.org
I have edited some root certificates, turning off their trust
bits. What file should I delete to restore my configuration to its
as-built NSS database?

--

David E. Ross
<http://www.rossde.com/>

On occasion, I might filter and ignore all newsgroup messages
posted through GoogleGroups via Google's G2/1.0 user agent
because of spam from that source.

Nelson Bolyard

Feb 5, 2011, 5:16:43 PM
to mozilla-dev-s...@lists.mozilla.org
On 2011-01-31 14:50 PDT, David E. Ross wrote:
> I have edited some root certificates, turning off their trust
> bits. What file should I delete to restore my configuration to its
> as-built NSS database?

cert*.db holds the trust bits. You could
- export the certs you care about, then make a new cert DB and reimport, or
- just set all the trust bits back.

--
/Nelson Bolyard

David E. Ross

Feb 5, 2011, 8:23:02 PM
to mozilla-dev-s...@lists.mozilla.org

I have a file named cert8.db. Does that hold ALL trust bits or only the
trust bits that I have changed?

Kathleen Wilson

Feb 7, 2011, 3:17:46 PM
to mozilla-dev-s...@lists.mozilla.org
On 2/5/11 5:23 PM, David E. Ross wrote:
> On 2/5/11 2:16 PM, Nelson Bolyard wrote:
>> On 2011-01-31 14:50 PDT, David E. Ross wrote:
>>> I have edited some root certificates, turning off their trust
>>> bits. What file should I delete to restore my configuration to its
>>> as-built NSS database?
>>
>> cert*.db holds the trust bits. You could
>> - export the certs you care about, then make a new cert DB and reimport, or
>> - just set all the trust bits back.
>>
>
> I have a file named cert8.db. Does that hold ALL trust bits or only the
> trust bits that I have changed?
>


My understanding is that nssckbi.dll has the default certs and trust
bits, and cert8.db has the changes that you have manually made (e.g.
changed trust bits and imported certs).

From: http://support.mozilla.com/en-US/kb/profiles
"Security certificate settings: The cert8.db file stores all your
security certificate settings and any SSL certificates you have imported
into Firefox."

Also see:
http://support.mozilla.com/en-US/kb/Backing%20up%20your%20information

and

http://support.mozilla.com/en-US/kb/Recovering%20important%20data%20from%20an%20old%20profile


Kathleen

Kathleen Wilson

Feb 7, 2011, 3:46:44 PM
to mozilla-dev-s...@lists.mozilla.org


I have added a section called "How To Restore Default Root Certificate
Settings" to https://wiki.mozilla.org/CA:UserCertDB

I tested the following on my system, and it worked. The problem that I
see is that it completely restores the default, which means that I lose
all of the certs that I have manually imported. Of course, I can restore
all of my manual settings by following the same steps except to move my
old cert8.db file back.

1. Locate the cert8.db file as described in
http://support.mozilla.com/en-US/kb/Backing%20up%20your%20information
2. Shut down Firefox
3. Move the cert8.db file into a different folder/directory.
4. Restart Firefox

Kathleen
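
Steps 2 to 4 of the message above, and the "move my old cert8.db file back" restore, written as POSIX shell functions. This is an added example, not part of the original thread or of Mozilla's tooling; the function names, the backup directory argument and the `firefox` process name are assumptions.

```shell
#!/bin/sh
# Added example: set cert8.db aside so Firefox starts with default root
# settings, and put the saved file back later. Function names, the backup
# directory argument and the "firefox" process name are assumptions.

firefox_running() {
    # Best-effort check; without pgrep this reports "not running".
    command -v pgrep >/dev/null 2>&1 && pgrep -x firefox >/dev/null 2>&1
}

set_aside_certdb() {    # $1 = profile directory, $2 = backup directory
    profile=$1; backup=$2
    if [ ! -f "$profile/cert8.db" ]; then
        echo "no cert8.db in $profile" >&2; return 2
    fi
    if firefox_running; then
        echo "shut down Firefox first" >&2; return 3
    fi
    mkdir -p "$backup" || return 1
    dest="$backup/cert8.db.$(date +%Y%m%d-%H%M%S)"
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2; return 4
    fi
    mv "$profile/cert8.db" "$dest" || return 1
    printf '%s\n' "$dest"    # path to hand to restore_certdb later
}

restore_certdb() {      # $1 = profile directory, $2 = path printed above
    profile=$1; saved=$2
    if [ ! -f "$saved" ]; then
        echo "no saved database at $saved" >&2; return 2
    fi
    if firefox_running; then
        echo "shut down Firefox first" >&2; return 3
    fi
    # Keep the database Firefox recreated (no manual changes) beside the backup.
    if [ -e "$profile/cert8.db" ]; then
        mv "$profile/cert8.db" "$saved.regenerated" || return 1
    fi
    mv "$saved" "$profile/cert8.db"
}
```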


David E. Ross

Feb 7, 2011, 7:15:20 PM
to mozilla-dev-s...@lists.mozilla.org

Thanks.

Given that many users do not even know how to find their profiles, I
would hope that bug #558222 could be implemented. In any case, that RFE
bug requests the ability to remove one certificate from cert8.db without
removing the entire file.

It would also help if bug #545498 were implemented so that a user could
determine how cert8.db differs from the nominal NSS database.
